Starting today, across the threat landscape security teams can correlate alerts to focus on what matters most, automate investigation and response and self-heal affected assets, and simplify hunting for indicators of attack unique to an organization. They can also use Microsoft Threat Protection to centrally view all detections, impacted assets, automated actions taken, and related evidence.

Move from alerts to incidents

Weare introducing the concept of “incidents,”previouslyavailable only for endpoints. These incidents correlate alerts across threat vectors todeterminethe full scope of the threatacross Microsoft 365 products.

For example, we can correlate the following attack sequence: Office 365 ATP observes a malicious email attachment. That attachment contains a weaponized Word document that is opened on the endpoint and observed by Microsoft Defender ATP. The attack then launches queries to the domain controller in search of user accounts to abuse, which is observed by Azure ATP. And, finally, corporate data is exfiltrated to a personal OneDrive account, which is observed by Microsoft Cloud App Security.

All related alerts across the suite products presented as a single incident (alerts view)

Cross-product incident (Incident overview)

Automate threat response

Critical threat information is shared in real time between Microsoft Threat Protection products to help stop the progression of an attack. The central Microsoft Threat Protection logic orchestratesand triggers actions on the individual products. This includes blocking malicious entities and initiating automatic investigation and remediation.

For example, if a malicious file is detected on an endpoint protected by Microsoft Defender ATP, it will instruct Office 365 ATP to scan and remove the file from all e-mail messages. The file will be blocked on sight by the entire Microsoft 365 security suite.

Self-heal compromised devices, user identities, and mailboxes

Leveraging the capabilities of the suite products, the integrated solution uses AI-powered automatic actions and playbooks to return all impacted assets to a secure state. Within the portal security teams can use the Action Center tocentrally view results of all automated investigations and self-healing actions and approve or undo specific actions.

Action Center –see pending and historical actions taken by analysts

Cross-product threat hunting

Security teams can leverage their unique organizational knowledgelike proprietary indicators of compromise, org–specific behavioral patterns, or free–form research to hunt for signs of compromise by creating custom queries over raw data. Microsoft Threat Protection provides query-based access to 30 days of historic raw signals and alert data across endpoint and Office 365 data.